Clients must have support for TLS/SSL to work with a mongod or a
mongos instance that has TLS/SSL support enabled.

Important

A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, and Certificate Authority is beyond the scope of this document.
This page assumes prior knowledge of TLS/SSL as well as access to valid certificates.

--sslCAFile with the name of the .pem
file that contains the certificate from the Certificate Authority (CA).

Changed in version 3.2.6: MongoDB 3.2.6 adds support for checking a certificate against the
system CA store, allowing you to run the mongo shell with
the --ssl option without including --sslCAFile or
--sslAllowInvalidCertificates.

If the mongod or mongos to which the
mongo shell is connecting presents a certificate signed
with a CA trusted by the operating system, the mongo
shell will connect without error. In previous versions of MongoDB,
the mongo shell exited with an error that it could not
validate the certificate.

If your MongoDB deployment uses TLS/SSL, you must also specify the --host option.
mongo verifies that the
hostname of the mongod or mongos to which you are connecting matches
the CN or SAN of the mongod or mongos’s --sslPEMKeyFile certificate.
If the hostname does not match the CN/SAN, mongo will fail to
connect.

Warning

For TLS/SSL connections (--ssl) to mongod and
mongos, if the mongo shell (or MongoDB tools) runs with the
--sslAllowInvalidCertificates option, the mongo shell (or MongoDB tools) will
not attempt to validate the server certificates. This creates a
vulnerability to expired mongod and mongos
certificates as well as to foreign processes posing as valid
mongod or mongos instances. Only use
--sslAllowInvalidCertificates on systems where intrusion
is not possible.
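The following is an added example, not code from the MongoDB documentation or from the mongo shell itself. It models, with only the Python standard library, the client-side behaviour the text above describes: which trust store the shell uses with and without --sslCAFile, the hostname-versus-CN/SAN check that makes --host mandatory, the expiry check, and what --sslAllowInvalidCertificates switches off. The certificate is a constructed dict in the shape `ssl.getpeercert()` returns, not a real certificate; the function names are this example's own.

```python
"""Added example: what a TLS client such as the mongo shell checks on the
server certificate, and what --sslAllowInvalidCertificates skips."""
import ssl
import time

# Constructed sample peer certificate in the format SSLSocket.getpeercert()
# returns. Not a real certificate; hostnames are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "mongodb.example.net"),),),
    "subjectAltName": (
        ("DNS", "mongodb.example.net"),
        ("DNS", "*.shard.example.net"),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def context_for_flags(ca_file=None, allow_invalid=False):
    """Build an SSLContext equivalent to the mongo shell's TLS options.

    - --sslCAFile <pem>   -> trust only that CA (ca_file set).
    - no --sslCAFile      -> trust the operating-system CA store (3.2.6+).
    - --sslAllowInvalidCertificates -> no chain, expiry or hostname check.
    """
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if allow_invalid:
        # This is the state the warning describes: the peer is never verified.
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    elif ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: a leading '*' matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]


def hostname_matches(cert, hostname):
    """True if hostname matches a SAN dNSName, or the subject CN when the
    certificate carries no SAN. This is the check behind the --host rule."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_dns_name_matches(p, hostname) for p in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def is_expired(cert, now_ts=None):
    """Compare notAfter (OpenSSL text form) against a Unix timestamp."""
    now_ts = time.time() if now_ts is None else now_ts
    return now_ts > ssl.cert_time_to_seconds(cert["notAfter"])


def validate_peer(cert, hostname, allow_invalid=False, now_ts=None):
    """Checks applied after the TLS library has verified the CA chain.
    Returns (accepted, reason)."""
    if allow_invalid:
        return True, "validation skipped (--sslAllowInvalidCertificates)"
    if is_expired(cert, now_ts):
        return False, "certificate expired"
    if not hostname_matches(cert, hostname):
        return False, "hostname does not match CN/SAN"
    return True, "ok"


if __name__ == "__main__":
    for host in ("mongodb.example.net", "rs0.shard.example.net", "other.example.net"):
        print(host, validate_peer(SAMPLE_CERT, host, now_ts=0))
    print("allow-invalid:", validate_peer(SAMPLE_CERT, "other.example.net", allow_invalid=True))
```

Note that when a certificate carries a SAN extension, the CN is ignored, which is the rule most TLS libraries follow; an expired or mis-named certificate is rejected only when `allow_invalid` is false, mirroring the warning above.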

Connect to MongoDB Instance that Validates when Presented with a Certificate

For example, if mongod is running with weak certificate
validation, both of the following mongo shell clients can
connect to that mongod:

The MongoDB Cloud Manager and Ops Manager Monitoring agents will also have to use
encrypted communication in order to gather their statistics. Because the
agents already encrypt communications to the MongoDB Cloud Manager/Ops Manager servers,
this is just a matter of enabling TLS/SSL support in MongoDB Cloud Manager/Ops Manager on a per
host basis.